suricata
log-droplog.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  * Drop log module to log the dropped packet information in a format
25  * compatible to Linux' Netfilter.
26  */
27 
28 #include "suricata-common.h"
29 #include "debug.h"
30 #include "detect.h"
31 #include "flow.h"
32 #include "conf.h"
33 
34 #include "threads.h"
35 #include "tm-threads.h"
36 #include "threadvars.h"
37 #include "util-debug.h"
38 
39 #include "decode-ipv4.h"
40 #include "detect-parse.h"
41 #include "detect-engine.h"
42 #include "detect-engine-mpm.h"
43 #include "detect-reference.h"
44 
45 #include "output.h"
46 #include "log-droplog.h"
47 
48 #include "util-unittest.h"
49 #include "util-unittest-helper.h"
51 #include "util-privs.h"
52 #include "util-print.h"
53 #include "util-proto-name.h"
54 #include "util-logopenfile.h"
55 #include "util-time.h"
56 
57 #define DEFAULT_LOG_FILENAME "drop.log"
58 
59 #define MODULE_NAME "LogDropLog"
60 
61 typedef struct LogDropLogThread_ {
62  /** LogFileCtx has the pointer to the file and a mutex to allow multithreading */
64  uint64_t drop_cnt;
66 
67 /**
68  * \brief Initialize the droplog thread
69  * \param t Pointer the current thread variable
70  * \param initdata pointer to the output context
71  * \param data Pointer to the pointer to droplog thread to be initialized
72  *
73  * \return TM_ECODE_OK on success
74  */
75 static TmEcode LogDropLogThreadInit(ThreadVars *t, const void *initdata, void **data)
76 {
77  if(initdata == NULL) {
78  SCLogDebug("Error getting context for LogDropLog. \"initdata\" argument NULL");
79  return TM_ECODE_FAILED;
80  }
81 
83  if (unlikely(dlt == NULL))
84  return TM_ECODE_FAILED;
85  memset(dlt, 0, sizeof(LogDropLogThread));
86 
87  /** Use the Ouptut Context (file pointer and mutex) */
88  dlt->file_ctx = ((OutputCtx *)initdata)->data;
89 
90  *data = (void *)dlt;
91  return TM_ECODE_OK;
92 }
93 
94 /**
95  * \brief Deinitialize the droplog thread
96  * \param t Pointer the current thread variable
97  * \param data Pointer to the droplog thread to be cleared
98  *
99  * \return TM_ECODE_OK on success
100  */
101 static TmEcode LogDropLogThreadDeinit(ThreadVars *t, void *data)
102 {
103  LogDropLogThread *dlt = (LogDropLogThread *)data;
104  if (dlt == NULL) {
105  return TM_ECODE_OK;
106  }
107 
108  /* clear memory */
109  memset(dlt, 0, sizeof(LogDropLogThread));
110 
111  SCFree(dlt);
112  return TM_ECODE_OK;
113 }
114 
115 /**
116  * \brief Destroy the LogFileCtx and cleared "drop" output module
117  *
118  * \param output_ctx pointer the output context to be cleared
119  */
120 static void LogDropLogDeInitCtx(OutputCtx *output_ctx)
121 {
123 
124  if (output_ctx != NULL) {
125  LogFileCtx *logfile_ctx = (LogFileCtx *)output_ctx->data;
126  if (logfile_ctx != NULL) {
127  LogFileFreeCtx(logfile_ctx);
128  }
129  SCFree(output_ctx);
130  }
131 }
132 
133 /**
134  * \brief Create a new LogFileCtx for "drop" output style.
135  * \param conf The configuration node for this output.
136  * \return A LogFileCtx pointer on success, NULL on failure.
137  */
138 static OutputInitResult LogDropLogInitCtx(ConfNode *conf)
139 {
140  OutputInitResult result = { NULL, false };
141  if (OutputDropLoggerEnable() != 0) {
142  SCLogError(SC_ERR_CONF_YAML_ERROR, "only one 'drop' logger "
143  "can be enabled");
144  return result;
145  }
146 
147  LogFileCtx *logfile_ctx = LogFileNewCtx();
148  if (logfile_ctx == NULL) {
149  SCLogDebug("LogDropLogInitCtx: Could not create new LogFileCtx");
150  return result;
151  }
152 
153  if (SCConfLogOpenGeneric(conf, logfile_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
154  LogFileFreeCtx(logfile_ctx);
155  return result;
156  }
157 
158  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
159  if (unlikely(output_ctx == NULL)) {
160  LogFileFreeCtx(logfile_ctx);
161  return result;
162  }
163  output_ctx->data = logfile_ctx;
164  output_ctx->DeInit = LogDropLogDeInitCtx;
165 
166  result.ctx = output_ctx;
167  result.ok = true;
168  return result;
169 }
170 
171 /**
172  * \brief Log the dropped packets in netfilter format when engine is running
173  * in inline mode
174  *
175  * \param tv Pointer the current thread variables
176  * \param p Pointer the packet which is being logged
177  * \param data Pointer to the droplog struct
178  *
179  * \return return TM_EODE_OK on success
180  */
181 static int LogDropLogNetFilter (ThreadVars *tv, const Packet *p, void *data)
182 {
183  LogDropLogThread *dlt = (LogDropLogThread *)data;
184  uint16_t proto = 0;
185  char timebuf[64];
186 
187  CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
188 
189  SCMutexLock(&dlt->file_ctx->fp_mutex);
190 
191  if (dlt->file_ctx->rotation_flag) {
192  dlt->file_ctx->rotation_flag = 0;
193  if (SCConfLogReopen(dlt->file_ctx) != 0) {
194  /* Rotation failed, error already logged. */
196  return TM_ECODE_FAILED;
197  }
198  }
199 
200  char srcip[46] = "";
201  char dstip[46] = "";
202 
203  if (PKT_IS_IPV4(p)) {
204  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, 16);
205  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, 16);
206  fprintf(dlt->file_ctx->fp, "%s: IN= OUT= SRC=%s DST=%s LEN=%"PRIu16" "
207  "TOS=0x%02"PRIu8" TTL=%"PRIu8" ID=%"PRIu16"", timebuf,
208  srcip, dstip, IPV4_GET_IPLEN(p), IPV4_GET_IPTOS(p),
210  proto = IPV4_GET_IPPROTO(p);
211  } else if (PKT_IS_IPV6(p)) {
212  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
213  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
214  fprintf(dlt->file_ctx->fp, "%s: IN= OUT= SRC=%s DST=%s LEN=%"PRIu16""
215  " TC=%"PRIu32" HOPLIMIT=%"PRIu8" FLOWLBL=%"PRIu32"", timebuf,
216  srcip, dstip, IPV6_GET_PLEN(p), IPV6_GET_CLASS(p),
218  proto = IPV6_GET_L4PROTO(p);
219  }
220 
221  if (SCProtoNameValid(proto) == TRUE) {
222  fprintf(dlt->file_ctx->fp, " PROTO=%s",known_proto[proto]);
223  } else {
224  fprintf(dlt->file_ctx->fp, " PROTO=%03"PRIu16"",proto);
225  }
226 
227  switch (proto) {
228  case IPPROTO_TCP:
229  if (PKT_IS_TCP(p)) {
230  fprintf(dlt->file_ctx->fp, " SPT=%"PRIu16" DPT=%"PRIu16" "
231  "SEQ=%"PRIu32" ACK=%"PRIu32" WINDOW=%"PRIu32"",
233  TCP_GET_ACK(p), TCP_GET_WINDOW(p));
234  fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_SYN(p) ? " SYN" : "");
235  fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_ACK(p) ? " ACK" : "");
236  fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_PUSH(p) ? " PSH" : "");
237  fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_RST(p) ? " RST" : "");
238  fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_URG(p) ? " URG" : "");
239  fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_FIN(p) ? " FIN" : "");
240  fprintf(dlt->file_ctx->fp, " RES=0x%02"PRIu8" URGP=%"PRIu16"",
242  }
243  break;
244  case IPPROTO_UDP:
245  if (PKT_IS_UDP(p)) {
246  fprintf(dlt->file_ctx->fp, " SPT=%"PRIu16" DPT=%"PRIu16""
247  " LEN=%"PRIu16"", UDP_GET_SRC_PORT(p),
249  }
250  break;
251  case IPPROTO_ICMP:
252  if (PKT_IS_ICMPV4(p)) {
253  fprintf(dlt->file_ctx->fp, " TYPE=%"PRIu8" CODE=%"PRIu8""
254  " ID=%"PRIu16" SEQ=%"PRIu16"", ICMPV4_GET_TYPE(p),
256  } else if (PKT_IS_ICMPV6(p)) {
257  fprintf(dlt->file_ctx->fp, " TYPE=%"PRIu8" CODE=%"PRIu8""
258  " ID=%"PRIu16" SEQ=%"PRIu16"", ICMPV6_GET_TYPE(p),
260  }
261  break;
262  default:
263  fprintf(dlt->file_ctx->fp," Unknown protocol");
264  }
265 
266  fprintf(dlt->file_ctx->fp,"\n");
267 
268  fflush(dlt->file_ctx->fp);
269 
270  dlt->drop_cnt++;
272 
273  return TM_ECODE_OK;
274 
275 }
276 
277 /**
278  * \brief Check if we need to drop-log this packet
279  *
280  * \param tv Pointer the current thread variables
281  * \param p Pointer the packet which is tested
282  *
283  * \retval bool TRUE or FALSE
284  */
285 static int LogDropCondition(ThreadVars *tv, const Packet *p)
286 {
287  if (!EngineModeIsIPS()) {
288  SCLogDebug("engine is not running in inline mode, so returning");
289  return FALSE;
290  }
291  if (PKT_IS_PSEUDOPKT(p)) {
292  SCLogDebug("drop log doesn't log pseudo packets");
293  return FALSE;
294  }
295 
296  if (p->flow != NULL) {
297  int ret = FALSE;
298  if (p->flow->flags & FLOW_ACTION_DROP) {
300  ret = TRUE;
301  else if (PKT_IS_TOCLIENT(p) && !(p->flow->flags & FLOW_TOCLIENT_DROP_LOGGED))
302  ret = TRUE;
303  }
304  return ret;
305  } else if (PACKET_TEST_ACTION(p, ACTION_DROP)) {
306  return TRUE;
307  }
308 
309  return FALSE;
310 }
311 
312 /**
313  * \brief Log the dropped packets when engine is running in inline mode
314  *
315  * \param tv Pointer the current thread variables
316  * \param data Pointer to the droplog struct
317  * \param p Pointer the packet which is being logged
318  *
319  * \retval 0 on succes
320  */
321 static int LogDropLogger(ThreadVars *tv, void *thread_data, const Packet *p)
322 {
323 
324  int r = LogDropLogNetFilter(tv, p, thread_data);
325  if (r < 0)
326  return -1;
327 
328  if (p->flow) {
329  if (p->flow->flags & FLOW_ACTION_DROP) {
332  else if (PKT_IS_TOCLIENT(p) && !(p->flow->flags & FLOW_TOCLIENT_DROP_LOGGED))
334  }
335  }
336  return 0;
337 }
338 
339 static void LogDropLogExitPrintStats(ThreadVars *tv, void *data)
340 {
341  LogDropLogThread *dlt = (LogDropLogThread *)data;
342  if (dlt == NULL) {
343  return;
344  }
345 
346  SCLogInfo("(%s) Dropped Packets %" PRIu64 "", tv->name, dlt->drop_cnt);
347 }
348 
349 /***************************** Unittests ****************************/
350 
351 #ifdef UNITTESTS
352 
353 /** \brief test if the action is drop then packet should be logged */
354 static int LogDropLogTest01(void)
355 {
356  int result = 0;
358 
359  uint8_t *buf = (uint8_t *) "GET /one/ HTTP/1.1\r\n"
360  "Host: one.example.org\r\n";
361 
362  uint16_t buflen = strlen((char *)buf);
363  Packet *p = NULL;
364  ThreadVars th_v;
365  DetectEngineThreadCtx *det_ctx;
366  LogDropLogThread dlt;
367  LogFileCtx *logfile_ctx = LogFileNewCtx();
368  if (logfile_ctx == NULL) {
369  printf("Could not create new LogFileCtx\n");
370  return 0;
371  }
372 
373  memset (&dlt, 0, sizeof(LogDropLogThread));
374  dlt.file_ctx = logfile_ctx;
375  dlt.file_ctx->fp = stdout;
376 
377  memset(&th_v, 0, sizeof(th_v));
378  p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
379 
381  if (de_ctx == NULL) {
382  return result;
383  }
384 
385  de_ctx->flags |= DE_QUIET;
386 
389 
390  de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any any "
391  "(msg:\"LogDropLog test\"; content:\"GET\"; Classtype:unknown; sid:1;)");
392 
393  SigGroupBuild(de_ctx);
394  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
395 
396  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
397  if (p->alerts.cnt == 1 && (PACKET_TEST_ACTION(p, ACTION_DROP)))
398  result = (strcmp(p->alerts.alerts[0].s->class_msg, "Unknown are we") == 0);
399 
400  if (LogDropCondition(NULL, p) == TRUE)
401  LogDropLogger(NULL, &dlt, p);
402 
403  if (dlt.drop_cnt == 0) {
404  printf("Packet should be logged but its not\n");
405  result = 0;
406  }
407 
408  SigGroupCleanup(de_ctx);
409  SigCleanSignatures(de_ctx);
410  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
411  DetectEngineCtxFree(de_ctx);
412 
413  UTHFreePackets(&p, 1);
415  return result;
416 }
417 
418 /** \brief test if the action is alert then packet shouldn't be logged */
419 static int LogDropLogTest02(void)
420 {
421  int result = 0;
423 
424  uint8_t *buf = (uint8_t *) "GET";
425 
426  uint16_t buflen = strlen((char *)buf);
427  Packet *p = NULL;
428  ThreadVars th_v;
429  DetectEngineThreadCtx *det_ctx;
430  LogDropLogThread dlt;
431  LogFileCtx *logfile_ctx = LogFileNewCtx();
432  if (logfile_ctx == NULL) {
433  printf("Could not create new LogFileCtx\n");
434  return 0;
435  }
436 
437  memset (&dlt, 0, sizeof(LogDropLogThread));
438  dlt.file_ctx = logfile_ctx;
439  dlt.file_ctx->fp = stdout;
440 
441  memset(&th_v, 0, sizeof(th_v));
442  p = UTHBuildPacket(buf, buflen, IPPROTO_UDP);
443 
445  if (de_ctx == NULL) {
446  return result;
447  }
448 
449  de_ctx->flags |= DE_QUIET;
450 
453 
454  de_ctx->sig_list = SigInit(de_ctx, "alert udp any any -> any any "
455  "(msg:\"LogDropLog test\"; content:\"GET\"; Classtype:unknown; sid:1;)");
456 
457  SigGroupBuild(de_ctx);
458  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
459 
460  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
461  if (p->alerts.cnt == 1 && p->alerts.alerts[0].action != ACTION_DROP)
462  result = (strcmp(p->alerts.alerts[0].s->class_msg, "Unknown are we") == 0);
463 
464  if (LogDropCondition(NULL, p) == TRUE)
465  LogDropLogger(NULL, &dlt, p);
466 
467  if (dlt.drop_cnt != 0) {
468  printf("Packet shouldn't be logged but it is\n");
469  result = 0;
470  }
471 
472  SigGroupCleanup(de_ctx);
473  SigCleanSignatures(de_ctx);
474  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
475  DetectEngineCtxFree(de_ctx);
476 
477  UTHFreePackets(&p, 1);
478 
480  return result;
481 }
482 
483 /**
484  * \brief This function registers unit tests for AlertFastLog API.
485  */
486 static void LogDropLogRegisterTests(void)
487 {
488  UtRegisterTest("LogDropLogTest01", LogDropLogTest01);
489  UtRegisterTest("LogDropLogTest02", LogDropLogTest02);
490 }
491 #endif
492 
493 /** \brief function to register the drop log module */
495 {
497  LogDropLogInitCtx, LogDropLogger, LogDropCondition,
498  LogDropLogThreadInit, LogDropLogThreadDeinit, LogDropLogExitPrintStats);
499 #ifdef UNITTESTS
500  LogDropLogRegisterTests();
501 #endif
502 }
#define GET_IPV4_SRC_ADDR_PTR(p)
Definition: decode.h:212
#define TCP_GET_RAW_X2(tcph)
Definition: decode-tcp.h:66
char * known_proto[256]
uint8_t SCProtoNameValid(uint16_t proto)
Function to check if the received protocol number is valid and do we have corresponding name entry fo...
#define SCLogDebug(...)
Definition: util-debug.h:335
struct Flow_ * flow
Definition: decode.h:443
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:860
#define FALSE
#define PKT_IS_TOCLIENT(p)
Definition: decode.h:256
#define IPV4_GET_IPPROTO(p)
Definition: decode-ipv4.h:148
void LogDropLogRegister(void)
function to register the drop log module
Definition: log-droplog.c:494
#define unlikely(expr)
Definition: util-optimize.h:35
uint64_t drop_cnt
Definition: log-droplog.c:64
#define GET_IPV4_DST_ADDR_PTR(p)
Definition: decode.h:213
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
#define UDP_GET_SRC_PORT(p)
Definition: decode-udp.h:36
Signature * sig_list
Definition: detect.h:729
uint8_t action
Definition: decode.h:269
#define FLOW_ACTION_DROP
Definition: flow.h:64
#define ICMPV6_GET_ID(p)
#define IPV6_GET_HLIM(p)
Definition: decode-ipv6.h:89
int OutputDropLoggerEnable(void)
Definition: output.c:846
#define PKT_IS_IPV6(p)
Definition: decode.h:250
#define TCP_GET_WINDOW(p)
Definition: decode-tcp.h:108
void SigCleanSignatures(DetectEngineCtx *de_ctx)
#define ICMPV6_GET_SEQ(p)
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
#define MODULE_NAME
Definition: log-droplog.c:59
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
LogFileCtx * file_ctx
Definition: log-droplog.c:63
TCPHdr * tcph
Definition: decode.h:520
int EngineModeIsIPS(void)
Definition: suricata.c:239
#define ICMPV4_GET_TYPE(p)
#define TRUE
#define ICMPV4_GET_SEQ(p)
#define SCMutexLock(mut)
#define PKT_IS_IPV4(p)
Definition: decode.h:249
main detection engine ctx
Definition: detect.h:723
#define TCP_ISSET_FLAG_SYN(p)
Definition: decode-tcp.h:114
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
PacketAlert alerts[PACKET_ALERT_MAX]
Definition: decode.h:292
const struct Signature_ * s
Definition: decode.h:271
#define DE_QUIET
Definition: detect.h:296
#define ICMPV6_GET_CODE(p)
#define SCCalloc(nm, a)
Definition: util-mem.h:197
#define TCP_GET_SEQ(p)
Definition: decode-tcp.h:106
void OutputRegisterPacketModule(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output module.
Definition: output.c:158
#define SCMutexUnlock(mut)
#define IPV6_GET_PLEN(p)
Definition: decode-ipv6.h:87
uint8_t flags
Definition: detect.h:724
#define GET_IPV6_DST_ADDR(p)
Definition: decode.h:218
#define TCP_ISSET_FLAG_URG(p)
Definition: decode-tcp.h:118
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
#define PKT_IS_ICMPV6(p)
Definition: decode.h:254
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define IPV6_GET_FLOW(p)
Definition: decode-ipv6.h:83
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1743
SCMutex fp_mutex
void SCClassConfLoadClassficationConfigFile(DetectEngineCtx *de_ctx, FILE *fd)
Loads the Classtype info from the classification.config file.
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
#define PKT_IS_TOSERVER(p)
Definition: decode.h:255
#define IPV6_GET_CLASS(p)
Definition: decode-ipv6.h:81
#define UDP_GET_LEN(p)
Definition: decode-udp.h:35
int SCConfLogOpenGeneric(ConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition: util-print.c:267
int SigGroupCleanup(DetectEngineCtx *de_ctx)
#define FLOW_TOCLIENT_DROP_LOGGED
Definition: flow.h:74
uint8_t proto
#define IPV6_GET_L4PROTO(p)
Definition: decode-ipv6.h:92
char * class_msg
Definition: detect.h:555
#define IPV4_GET_IPLEN(p)
Definition: decode-ipv4.h:127
Definition: conf.h:32
#define TCP_ISSET_FLAG_RST(p)
Definition: decode-tcp.h:115
OutputCtx * ctx
Definition: output.h:42
#define SCMalloc(a)
Definition: util-mem.h:166
#define GET_IPV6_SRC_ADDR(p)
Definition: decode.h:217
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:254
#define ICMPV4_GET_ID(p)
#define SCFree(a)
Definition: util-mem.h:228
#define PKT_IS_TCP(p)
Definition: decode.h:251
#define TCP_ISSET_FLAG_ACK(p)
Definition: decode-tcp.h:117
void EngineModeSetIDS(void)
Definition: suricata.c:254
#define UDP_GET_DST_PORT(p)
Definition: decode-udp.h:37
void OutputDropLoggerDisable(void)
Definition: output.c:854
#define ICMPV6_GET_TYPE(p)
void * data
Definition: tm-modules.h:81
#define PKT_IS_ICMPV4(p)
Definition: decode.h:253
#define GET_TCP_DST_PORT(p)
Definition: decode.h:220
#define IPV4_GET_IPTOS(p)
Definition: decode-ipv4.h:125
int SCConfLogReopen(LogFileCtx *log_ctx)
Reopen a regular log file with the side-affect of truncating it.
PacketAlerts alerts
Definition: decode.h:555
char name[16]
Definition: threadvars.h:59
#define TCP_GET_URG_POINTER(p)
Definition: decode-tcp.h:109
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1131
struct LogDropLogThread_ LogDropLogThread
#define TCP_ISSET_FLAG_PUSH(p)
Definition: decode-tcp.h:116
uint16_t cnt
Definition: decode.h:291
#define PKT_IS_UDP(p)
Definition: decode.h:252
Per thread variable structure.
Definition: threadvars.h:57
struct timeval ts
Definition: decode.h:449
#define DEFAULT_LOG_FILENAME
Definition: log-droplog.c:57
#define ACTION_DROP
#define TCP_GET_ACK(p)
Definition: decode-tcp.h:107
#define TCP_ISSET_FLAG_FIN(p)
Definition: decode-tcp.h:113
#define GET_TCP_SRC_PORT(p)
Definition: decode.h:219
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
void EngineModeSetIPS(void)
Definition: suricata.c:249
#define IPV4_GET_IPID(p)
Definition: decode-ipv4.h:129
FILE * SCClassConfGenerateValidDummyClassConfigFD01(void)
Creates a dummy classification file, with all valid Classtypes, for testing purposes.
uint32_t flags
Definition: flow.h:379
#define FLOW_TOSERVER_DROP_LOGGED
Definition: flow.h:72
void CreateTimeString(const struct timeval *ts, char *str, size_t size)
Definition: util-time.c:237
DetectEngineCtx * DetectEngineCtxInit(void)
#define IPV4_GET_IPTTL(p)
Definition: decode-ipv4.h:146
#define ICMPV4_GET_CODE(p)